Connect to and manage a Power BI tenant in Microsoft Purview (Same Tenant)

This article outlines how to register a Power BI tenant in a same-tenant scenario, and how to authenticate and interact with the tenant in Microsoft Purview. For more information about Microsoft Purview, read the introductory article.

Note

The Power BI data source in Microsoft Purview has been renamed to Fabric in all regions. You can still use “Power BI” as the keyword to quickly locate the source to register a Power BI tenant and set up a scan.

Starting from December 13th 2023, scanning Fabric tenants registered with the Fabric data source in Microsoft Purview will capture metadata and lineage from Fabric items including Power BI. There are no other configuration steps needed to enable scanning Fabric items besides Power BI for existing scans. Fabric tenants and Power BI tenants will share the same data source and same experience to set up scans. For scanning a Fabric tenant, see our Fabric documentation.

Graphic showing the renaming of Power BI data source to Fabric.

Supported capabilities

Metadata Extraction Full Scan Incremental Scan Scoped Scan Classification Labeling Access Policy Lineage Data Sharing Live view
Yes Yes Yes Yes No No No Yes No Yes*

* Power BI items in a Microsoft Fabric tenant are available using live view.

When scanning Power BI source, Microsoft Purview supports:

  • Extracting technical metadata including:

    • Workspaces
    • Dashboards
    • Reports
    • Datasets including the tables and columns
    • Dataflows
    • Datamarts
  • Fetching static lineage on assets relationships among above Power BI artifacts and external data source assets. Learn more from Power BI lineage.

For a list of metadata available for Power BI, see our available metadata documentation.

Supported scenarios for Power BI scans

Scenarios Microsoft Purview public access allowed/denied Power BI public access allowed /denied Runtime option Authentication option Deployment checklist
Public access with Azure IR Allowed Allowed Azure Runtime Managed Identity / Delegated authentication / Service principal Review deployment checklist
Public access with Self-hosted IR Allowed Allowed Self-hosted runtime Delegated authentication / Service principal Review deployment checklist
Private access Denied Allowed Managed VNet IR (v2 only) Managed Identity / Delegated authentication / Service principal Review deployment checklist
Private access Allowed Denied Self-hosted runtime Delegated authentication / Service principal Review deployment checklist
Private access Denied Allowed Self-hosted runtime Delegated authentication / Service principal Review deployment checklist
Private access Denied Denied Self-hosted runtime Delegated authentication / Service principal Review deployment checklist

Known limitations

  • If Power BI tenant is protected behind a private endpoint, standard or kubernetes supported self-hosted runtimes are the only options to scan.
  • Delegated authentication and service principal are the only supported authentication options when a self-hosted integration runtime is used during the scan.
  • If Power BI dataset schema isn't shown after scan, it's due to one of the current limitations with Power BI Metadata scanner.
  • Empty workspaces are skipped.
  • Other limits please refer to Microsoft Purview limits.

Prerequisites

Before you start, make sure you have the following prerequisites:

Authentication options

  • Managed Identity
  • Delegated Authentication
  • Service Principal

Deployment checklist

Use any of the following deployment checklists during the setup or for troubleshooting purposes, based on your scenario:

Scan same-tenant Power BI using Azure IR and Managed Identity in public network

  1. Make sure Power BI and Microsoft Purview accounts are in the same tenant.

  2. Make sure Power BI tenant ID is entered correctly during the registration.

  3. Make sure your Power BI Metadata model is up to date by enabling metadata scanning.

  4. From Azure portal, validate if Microsoft Purview account Network is set to public access.

  5. From Power BI tenant Admin Portal, make sure Power BI tenant is configured to allow public network.

  6. In Microsoft Entra tenant, create a security group.

  7. From Microsoft Entra tenant, make sure Microsoft Purview account MSI is member of the new security group.

  8. On the Power BI Tenant Admin portal, validate if Allow service principals to use read-only Power BI admin APIs is enabled for the new security group.

Register Power BI tenant

This section describes how to register a Power BI tenant in Microsoft Purview for same-tenant scenario.

  1. Select the Data Map on the left navigation.

  2. Then select Register.

    Select Fabric as your data source. It includes Power BI sources and assets.

    Image showing the list of data sources available to choose, with the Fabric source highlighted.

  3. Give your data source a name.

    The name must be between 3-63 characters long and must contain only letters, numbers, underscores, and hyphens. Spaces aren't allowed.

    By default, the system will find the Fabric tenant that exists in the same Microsoft Entra tenant.

  4. Select the collection where you want to register the source.

  5. Select Register.

Scan same-tenant Power BI

Tip

To troubleshoot any issues with scanning:

  1. Confirm you have completed the deployment checklist for your scenario.
  2. Review our scan troubleshooting documentation.

Authenticate to Power BI tenant

In Microsoft Entra tenant, where Power BI tenant is located:

  1. In the Azure portal, search for Microsoft Entra ID.

  2. Create a new security group in your Microsoft Entra ID, by following Create a basic group and add members using Microsoft Entra ID.

    Tip

    You can skip this step if you already have a security group you want to use.

  3. Select Security as the Group Type.

    Screenshot of security group type.

  4. Add relevant user to the security group:

    • If you're using Managed Identity as authentication method, add your Microsoft Purview managed identity to this security group. Select Members, then select + Add members.

      Screenshot of how to add the catalog's managed instance to group.

    • If you're using delegated authentication or service principal as authentication method, add your service principal to this security group. Select Members, then select + Add members.

  5. Search for your Microsoft Purview managed identity or service principal and select it.

    Screenshot showing how to add catalog by searching for its name.

    You should see a success notification showing you that it was added.

    Screenshot showing successful addition of  catalog managed identity.

Associate the security group with Power BI tenant

  1. Log into the Power BI admin portal.

  2. Select the Tenant settings page.

    Important

    You need to be a Power BI Admin to see the tenant settings page.

  3. Select Admin API settings > Allow service principals to use read-only Power BI admin APIs (Preview).

  4. Select Specific security groups.

    Image showing how to allow service principals to get read-only Power BI admin API permissions.

  5. Select Admin API settings > Enhance admin APIs responses with detailed metadata and Enhance admin APIs responses with DAX and mashup expressions > Enable the toggle to allow Microsoft Purview Data Map automatically discover the detailed metadata of Power BI datasets as part of its scans.

    Important

    After you update the Admin API settings on your power bi tenant, wait around 15 minutes before registering a scan and test connection.

    Image showing the Power BI admin portal config to enable subartifact scan.

    Caution

    When you allow the security group you created (that has your Microsoft Purview managed identity as a member) to use read-only Power BI admin APIs, you also allow it to access the metadata (e.g. dashboard and report names, owners, descriptions, etc.) for all of your Power BI artifacts in this tenant. Once the metadata has been pulled into the Microsoft Purview, Microsoft Purview's permissions, not Power BI permissions, determine who can see that metadata.

    Note

    You can remove the security group from your developer settings, but the metadata previously extracted won't be removed from the Microsoft Purview account. You can delete it separately, if you wish.

Create scan for same-tenant Power BI using Azure IR and Managed Identity

This is a suitable scenario, if both Microsoft Purview and Power BI tenant are configured to allow public access in the network settings.

To create and run a new scan, do the following:

  1. In the Microsoft Purview Studio, navigate to the Data map in the left menu.

  2. Navigate to Sources.

  3. Select the registered Power BI source.

  4. Select + New scan.

  5. Give your scan a name. Then select the option to include or exclude the personal workspaces.

    Image showing Power BI scan setup.

    Note

    Switching the configuration of a scan to include or exclude a personal workspace will trigger a full scan of Power BI source.

  6. Select Test Connection before continuing to next steps. If Test Connection failed, select View Report to see the detailed status and troubleshoot the problem.

    1. Access - Failed status means the user authentication failed. Scans using managed identity will always pass because no user authentication required.
    2. Assets (+ lineage) - Failed status means the Microsoft Purview - Power BI authorization has failed. Make sure the Microsoft Purview managed identity is added to the security group associated in Power BI admin portal.
    3. Detailed metadata (Enhanced) - Failed status means the Power BI admin portal is disabled for the following setting - Enhance admin APIs responses with detailed metadata

    Screenshot of test connection status report page.

  7. Set up a scan trigger. Your options are Recurring, and Once.

    Screenshot of the Microsoft Purview scan scheduler.

  8. On Review new scan, select Save and run to launch your scan.

    Screenshot of Save and run Power BI source using Managed Identity.

Create scan for same-tenant using self-hosted IR with service principal

This scenario can be used when Microsoft Purview and Power BI tenant or both, are configured to use private endpoint and deny public access. Additionally, this option is also applicable if Microsoft Purview and Power BI tenant are configured to allow public access.

For more information related to Power BI network, see How to configure private endpoints for accessing Power BI.

For more information about Microsoft Purview network settings, see Use private endpoints for your Microsoft Purview account.

To create and run a new scan, do the following:

  1. In the Azure portal, select Microsoft Entra ID and create an App Registration in the tenant. Provide a web URL in the Redirect URI. For information about the Redirect URI see this documentation from Microsoft Entra ID.

    Screenshot how to create App in Microsoft Entra ID.

  2. Take note of Client ID(App ID).

    Screenshot how to create a Service principle.

  3. From Microsoft Entra dashboard, select newly created application and then select App registration. From API Permissions, assign the application the following delegated permissions:

    • Microsoft Graph openid
    • Microsoft Graph User.Read

    Screenshot of delegated permissions on Microsoft Graph.

  4. Under Advanced settings, enable Allow Public client flows.

  5. Under Certificates & secrets, create a new secret and save it securely for next steps.

  6. In Azure portal, navigate to your Azure key vault.

  7. Select Settings > Secrets and select + Generate/Import.

    Screenshot how to navigate to Azure Key Vault.

  8. Enter a name for the secret and for Value, type the newly created secret for the App registration. Select Create to complete.

    Screenshot how to generate an Azure Key Vault secret for SPN.

  9. If your key vault isn't connected to Microsoft Purview yet, you'll need to create a new key vault connection

  10. In the Microsoft Purview Studio, navigate to the Data map in the left menu.

  11. Navigate to Sources.

  12. Select the registered Power BI source.

  13. Select + New scan.

  14. Give your scan a name. Then select the option to include or exclude the personal workspaces.

    Note

    Switching the configuration of a scan to include or exclude a personal workspace will trigger a full scan of Power BI source.

  15. Select your self-hosted integration runtime from the drop-down list.

    Image showing Power BI scan setup using SHIR for same tenant.

  16. For the Credential, select service principal and select + New to create a new credential.

  17. Create a new credential and provide required parameters:

    • Name: Provide a unique name for credential
    • Authentication method: Service principal
    • Tenant ID: Your Power BI tenant ID
    • Client ID: Use Service Principal Client ID (App ID) you created earlier

    Screenshot of the new credential menu, showing Power BI credential for SPN with all required values supplied.

  18. Select Test Connection before continuing to next steps. If Test Connection failed, select View Report to see the detailed status and troubleshoot the problem

    1. Access - Failed status means the user authentication failed. Scans using managed identity will always pass because no user authentication required.
    2. Assets (+ lineage) - Failed status means the Microsoft Purview - Power BI authorization has failed. Make sure the Microsoft Purview managed identity is added to the security group associated in Power BI admin portal.
    3. Detailed metadata (Enhanced) - Failed status means the Power BI admin portal is disabled for the following setting - Enhance admin APIs responses with detailed metadata

    Screenshot of test connection status report page.

  19. Set up a scan trigger. Your options are Recurring, and Once.

    Screenshot of the Microsoft Purview scan scheduler.

  20. On Review new scan, select Save and run to launch your scan.

Create scan for same-tenant using self-hosted IR with delegated authentication

This scenario can be used when Microsoft Purview and Power BI tenant or both, are configured to use private endpoint and deny public access. Additionally, this option is also applicable if Microsoft Purview and Power BI tenant are configured to allow public access.

For more information related to Power BI network, see How to configure private endpoints for accessing Power BI.

For more information about Microsoft Purview network settings, see Use private endpoints for your Microsoft Purview account.

To create and run a new scan, do the following:

  1. Create a user account in Microsoft Entra tenant and assign the user to Microsoft Entra role, Fabric Administrator. Take note of username and sign in to change the password.

  2. Assign proper Power BI license to the user.

  3. Navigate to your Azure key vault.

  4. Select Settings > Secrets and select + Generate/Import.

    Screenshot how to navigate to Azure Key Vault.

  5. Enter a name for the secret and for Value, type the newly created password for the Microsoft Entra user. Select Create to complete.

    Screenshot how to generate an Azure Key Vault secret.

  6. If your key vault isn't connected to Microsoft Purview yet, you'll need to create a new key vault connection

  7. Create an App Registration in your Microsoft Entra tenant. Provide a web URL in the Redirect URI.

    Screenshot how to create App in Microsoft Entra ID.

  8. Take note of Client ID(App ID).

    Screenshot how to create a Service principle.

  9. From Microsoft Entra dashboard, select newly created application and then select App registration. Assign the application the following delegated permissions, and grant admin consent for the tenant:

    • Power BI Service Tenant.Read.All
    • Microsoft Graph openid
    • Microsoft Graph User.Read

    Screenshot of delegated permissions on Power BI Service and Microsoft Graph.

  10. Under Advanced settings, enable Allow Public client flows.

  11. In the Microsoft Purview Studio, navigate to the Data map in the left menu.

  12. Navigate to Sources.

  13. Select the registered Power BI source.

  14. Select + New scan.

  15. Give your scan a name. Then select the option to include or exclude the personal workspaces.

    Note

    Switching the configuration of a scan to include or exclude a personal workspace will trigger a full scan of Power BI source.

  16. Select your self-hosted integration runtime from the drop-down list.

    Image showing Power BI scan setup using SHIR for same tenant.

  17. For the Credential, select Delegated authentication and select + New to create a new credential.

  18. Create a new credential and provide required parameters:

    • Name: Provide a unique name for credential
    • Authentication method: Delegated auth
    • Client ID: Use Service Principal Client ID (App ID) you created earlier
    • User name: Provide the username of Fabric Administrator you created earlier
    • Password: Select the appropriate Key vault connection and the Secret name where the Power BI account password was saved earlier.

    Screenshot of the new credential menu, showing Power B I credential with all required values supplied.

  19. Select Test Connection before continuing to next steps. If Test Connection failed, select View Report to see the detailed status and troubleshoot the problem

    1. Access - Failed status means the user authentication failed. Scans using managed identity will always pass because no user authentication required.
    2. Assets (+ lineage) - Failed status means the Microsoft Purview - Power BI authorization has failed. Make sure the Microsoft Purview managed identity is added to the security group associated in Power BI admin portal.
    3. Detailed metadata (Enhanced) - Failed status means the Power BI admin portal is disabled for the following setting - Enhance admin APIs responses with detailed metadata

    Screenshot of test connection status report page.

  20. Set up a scan trigger. Your options are Recurring, and Once.

    Screenshot of the Microsoft Purview scan scheduler.

  21. On Review new scan, select Save and run to launch your scan.

    Screenshot of Save and run Power BI source.

Scope your scan

This feature is currently in preview. The Supplemental Terms of Use for Azure Previews include additional legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability.

In the Scope your scan stage, data source administrators can scope the scans by specifying the workspaces as needed. Data source administrators can either select from the workspace list under the tenant or directly input the workspace GUIDs to scope the scan. No additional permission is required to use the scoped scan. There are two options available and by default the option "No" is selected and you can directly click on "Continue" to proceed to run a full scan or select the "Yes" to enable the scoped scan experience.

Screenshot that shows the Scope your scan with option No selected.

If the scoped scan is enabled, you will see a list of existing workspaces under the tenant on the left hand side (currently there’s a limitation that the UI selection experience only supports less than 5000 workspaces) and you can select the workspaces and add to the list on the right hand side. If personal workspace is configured as "Include", personal workspaces will show in the workspace list with a prefix "PersonalWorkspace ". You can directly click on the workspace(s) and click on the button "Add to list" to put the workspaces to the list of selected workspaces. You can input keyword of the workspace name or workspace GUID in the search box to filter out the workspace(s) for selection.

Screenshot that shows the Scope your scan with option Yes selected.

You can also directly input the workspace GUID and add it to the list of selected workspaces.

Screenshot that shows the Scope your scan with option Yes selected and manual input.

Note

  • Scoping scan by selecting from Microsoft Fabric or Power BI tenant is only supported when the total number of workspaces is less than 5000 (include or exclude personal workspaces will be considered), or you need to switch to manual input of workspace GUIDs to scope your scan.
  • You can switch between selecting workspaces from Microsoft Fabric or Power BI tenant, or entering workspace GUID manually and the input will be merged into the same list of selected workspaces.
  • Microsoft Purview will check whether the GUID input by user has a correct format but will not check whether the GUID represents a valid workspace in the Microsoft Fabric or Power BI tenant. If invalid GUIDs are included in scoped scan, the scan will complete with exceptions and you can find those invalid GUIDs in the scan log.
  • If personal workspace is configured as “Exclude”, the GUIDs for personal workspaces can still be added to the list of selected workspaces but will be skipped in the scan and these GUIDs will be included in the scan log.
  • If self-hosted integration runtime is used, version 5.40.8836.1 and above is required and only manual input of workspace GUIDs is supported in the scoped scan.
  • If managed VNet integration runtime (v2) is used, only manual input of workspace GUIDs is supported in the scoped scan.

Next steps

Now that you've registered your source, follow the below guides to learn more about Microsoft Purview and your data.